Started using Sandboxie - any advice?

Discussion in 'sandboxing & virtualization' started by raven211, Jun 30, 2011.

Thread Status:
Not open for further replies.
  1. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    What I've done is forced all my web-browsers into the DefaultBox. µTorrent is not in there because I trust my common sense and manual scanning for things that seem fishy. Is there anything else like DropMyRights-clone settings that should be applied? What should I simply do except forcing my web-browsers, and what other apps should/could be forced without issues?

    Thanks
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Drop Rights always helps unless you're testing installations. Also enable Experimental Protection if you're on a 64-bit system. There are Internet Access and Start/Run Restrictions as well.
     
  3. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    What complications could there be with Drop Rights for me as a gamer and generally a user who likes avoiding too many steps? Are there any good examples of very useful restrictions in those mentioned areas?
     
  4. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Create as many sandboxes as you need.
    example:

    Browser Sandbox:
    forced Internet Explorer to run in this sandbox
    restrict: only allow iexplore.exe to run/ and access internet.
    drop rights.


    Download directory Sandbox:
    forced download directory in this sandbox. (example: C:\Users\your username\Downloads)
    restrict: no internet access
    drop rights


    Gaming sandbox:
    just install your games here :)

    Testing box
    drop rights and test your software here :D
     
  5. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    Get Xmarks to keep your passwords/user names from getting deleted on exit.
     
  6. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    I thought Xmarks is for bookmarks and LastPass for passwords.. maybe I am missing something here :doubt:
     
  7. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    Xmarks can do passwords and user names and other things.
     
  8. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    No complications on virtually all browsers and games, unless you're installing them. Internet Access Restrictions prevent malicious programs from phoning home. Start/Run prevents them from executing.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    One step you could also take is to close access to any folders where you may have information you consider private.

    Example. Imagine you don't want the browser's sandbox to access your Documents folder. You just block access to the Documents folder.
     
  10. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Force anything that connects to the internet, also your mail client, PDF reader, video players, etc., and force them into their own sandbox. You should create a sandbox for each forced program; that way you can set each sandbox differently. Different settings for different programs. You ought to force each browser into its own sandbox instead of how you have it now.

    Bo
     
  11. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    ... since they have their own set of data, got it. :D

    I wanna thank all of you for the advice, this is one of the things I love learning.



    A question: When I add My Documents for blocking from my browsers (each separated now), it tells me I should add Windows Filesharing. How do I do that or does it do it for me?
     
    Last edited: Jul 1, 2011
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Just apply, Sandboxie will add it automatically. ;)

    Bo
     
  13. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Do not stop!

    PS. Sorry, could not resist :)
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Regarding DropRights -
    When enabled, a process started within the sandbox is treated as a USER. This means the process would have no rights to areas such as Windows and Program Files, exactly the same as the real OS. The obvious example is that executing a setup.exe would fail to install anything if it was destined for Program Files. It keeps the sandbox "environment" free from any problems usually, because malicious programs cannot install in restricted areas.

    DropRights will not prevent things from being installed to user allowed areas, such as MyDocs etc. Keyloggers and company that install to user areas can then run in the sandbox "environment", at least until you delete the contents of the sandbox.

    When DropRights is disabled, you are free to execute anything with no restrictions. If a trojan is installed in the sandbox, it is allowed. It will remain until you delete the sandbox contents. The trojan however would be contained to the sandbox, so it would only affect you when you ran something within that sandbox.

    Regarding separate sandboxes-
    Some like it, some don't. There are some distinct advantages, of which BoElam has pointed out likely the best reason - customize each sandbox for your own purposes rather than make everything fit into one. This can be a little confusing at first and take more time, but the end result is IMO much better. You don't have to do this, you can get along fine with only one sandbox, however, you lose some fine control.

    For example, if you use browser A to surf generically, you might think to put it in a generic sandbox. If you use browser B to go to accounts or more sensitive surfing only, you might want to delete its contents every time you use it, thus making sure it always starts in a clean "environment". If you lump browser A and browser B into the same sandbox, you have to make a choice to either NOT delete the sandbox to keep browser A in a more convenient state so it remembers data across uses, or you keep browser B happy by deleting the sandbox contents, but then have to live with that decision for browser A.

    More granular control will be achieved by making browser A NOT delete every time it is used, and by ALLOWING a different sandbox for browser B to be deleted every time.

    Regarding restrictions -
    It can be prudent to configure a sandbox to disallow ANY reading of certain things, not only directories that have your sensitive data, but also registry keys. You can block programs within the sandbox from not only reading but also writing. I always have my sandboxes disallow modifications of any autorun locations. In this manner, if the sandbox does get a trojan or something of that nature, it may have installed, but if it tries to set an autorun value, it is denied.

    Suppose you have a sandbox for browser A. You might consider restricting network access to only browser A. This way, even if a program starts, it has no network access at all, unless it is browser A. Stops keyloggers from phoning home as an example.

    You might consider only allowing browser A to execute. In this way, ONLY browser A will be allowed to start within the sandbox. No other program may run.

    You might consider that you use browser A and PDF-Reader-Z, and both of these programs will be the ONLY thing allowed to run, the ONLY thing allowed to have network access, within this specific sandbox.

    Regarding direct access and other such settings -
    These settings give sandboxie (or anything running in the sandbox) direct access to a directory or files. This can be both good and bad. On the good side, if you always download everything to one place, you can give all your sandboxes direct access to that area, so that when you download something within the sandbox, and save it to this special location, there is no need to recover items from the sandbox to the real location, because you gave direct access. The item(s) were saved there and need no recovery.

    The bad side of this is if you allow a directory that might be used against you or contain sensitive info. Think of direct access carefully before implementing.

    HTH

    Sul.
     
  15. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    As part of the customisation when using multiple sandboxes, it's not a bad idea to make sure that each sandbox is easily identifiable, perhaps using a different coloured border for each one as a visual reminder. That way, the risk of entering sensitive data by accident into a sandbox intended for general use is minimised.

    I realise that you would do this kind of thing automatically, but I just thought I'd mention it for the benefit of any less experienced users who may be reading this thread.

    Excellent post by the way! :)
     
  16. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Love you Sully <3
     
  17. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Thank you for this excellent tip
     
  18. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    You're welcome. :)

    Regards
     
  19. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    377
    Interesting idea Sully, could you share how you set this up?
    thanks
     
  20. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Here is a perfect example. In your sandbox, under ResourceAccess>RegistryAccess, you can choose to allow direct access or block access or allow read-only access. One thing you can do is to set your autorun registry keys to read-only or block. Here is one common registry autorun key that you might want to restrict
    Code:
    ReadKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    Under ResourceAccess>FileAccess you could set some key files or directories to read-only or block them. As an example, one would have had this in the list as Read-only
    Code:
    c:\io.sys
    c:\autoexec.bat
    Many already use other forms of restrictions such as what processes are allowed to run, what processes are allowed network access.

    I can't tell you much on how to set up restrictions other than common items such as those I've just mentioned. Apart from those, you need to decide what you want off-limits. Usually it is either directories that house your personal data, or you want to block access to certain files for some reason. Just one of the reasons I really like using SBIE, because I am free to get as lean or heavy as I want to with it, but no matter how heavy I get with it, it never bogs it down with too many rules etc.

    Sul.
     
  21. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    The main and most important things to setup are...:

    - Force IE/Firefox/Chrome etc into SandboxIE.
    - Make sure to delete Sandbox at end of sessions.
    - Limit The Internet access.
    - Drop User rights

    Right Click tray icon, click "Show Window", then click "Sandbox" > "Default Box" > "Sandbox Settings"...

    In the settings window, on the left side click on "Delete", then "Invocation", and on the right side check "Automatically delete contents of Sandbox" ... Preferably add a secure deletion program to it as well, i.e., Eraser.

    Now move on left side to "Program Start", then "Forced Programs", on the right, either add by Name or Filename and add your browser, Email Client etc.

    Next move on the left side to "Program Stop", then "Leader Programs", on the right either add by name or filename and add your browser, Email Client etc.

    Then move on the left side to "File Migration" and on the right change the size to any relevant sized apps you might be running; mine's configured for 512000 (500MB).

    Then move to "Restrictions" on the left, then "Internet Access" and add only those applications you want to allow internet access.

    Then while still in "Restrictions" click on "Drop Rights", on the right hand side check "Drop rights from Administrators and Power Users groups".

    Now, click on "Resource Access" > "File Access" > "Full Access" and on the right add your "Downloads" directory, or any other routine "Save to" directory. This is useful as it becomes annoying to constantly recover files.

    While under "File Access", click on "Read-Only Access", on the right add the Windows, Programdata and Program file directories as read only.

    On the left click on "Applications" > "Web Browser" > (whatever browser you are using) and on the right enable as many Direct Access things you may need. Then click on "Email Reader" and do the same thing on the right. Then do same thing with "PDF Reader" etc until all your applications have been covered.
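
    The browser-sandbox settings Sully and TheMozart describe above, collected into one Sandboxie.ini section as an added example; it is not from any poster in this thread nor from Sandboxie's own documentation. The box name BrowserBox, firefox.exe, the C:\ paths and the border colour are assumptions; the key names are the Sandboxie.ini settings as I know them, so confirm them in your version's help or let the Sandbox Settings dialog write them for you.

```ini
# Added example (not from this thread). Assumed box name: BrowserBox.
# Comment lines are explanatory; remove them if your Sandboxie version rejects them.
[BrowserBox]
Enabled=y

# pegr's tip: distinct border colour so you can see which box a window belongs to
BorderColor=#00FFFF,ttl

# Program Start > Forced Programs: the browser always opens in this box (assumed exe name)
ForceProcess=firefox.exe

# Delete > Invocation: wipe the box when the last program in it closes
AutoDelete=y

# Restrictions > Drop Rights: drop Administrators / Power Users group rights
DropAdminRights=y

# Restrictions > Internet Access: only the browser may reach the network,
# so anything else that starts in the box cannot phone home
ClosedFilePath=!firefox.exe,\InternetAccessDevices

# Resource Access > File Access > Blocked: the box cannot even read My Documents
# (%Personal% is Sandboxie's name for the user's Documents folder)
ClosedFilePath=%Personal%

# Resource Access > File Access > Read-Only: system areas visible but not writable
# (assumed default install locations)
ReadFilePath=C:\Windows
ReadFilePath=C:\Program Files
ReadFilePath=C:\ProgramData

# Resource Access > Registry Access > Read-Only: autorun keys cannot be modified,
# so a contained trojan cannot register itself to start with Windows
ReadKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
ReadKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

# Resource Access > File Access > Direct Access: downloads land in the real folder,
# no recovery needed (Direct Access, not Full Access; assumed path)
OpenFilePath=C:\Users\your username\Downloads

# File Migration limit in KB: TheMozart's 500 MB value
CopyLimitKb=512000
```

    A blocked path beats a direct-access path for the same location, so keep the Downloads folder out of any ClosedFilePath entry you add.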
     
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You don't need to give Full Access. Direct Access is more than enough.
     
  23. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Nice post, but you should really do the decent thing and quote the original poster to give them some credit:
    http://forums.whirlpool.net.au/archive/1475164
     
  24. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    I was wondering how someone like him could post something like that.
     
  25. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    :D :D
     